Whonix workstation browser fingerprint


jasper...@gmail.com

Jun 8, 2016, 4:42:43 PM
to qubes-devel
I've run a test on https://panopticlick.eff.org/ to see how 'anonymous' the Tor browser is on Whonix workstation.
It seems to have a 'nearly-unique' fingerprint. The problem seems to be the browser's window size/resolution (1000x600x24).

In total, the browser leaks about 14 bits of identifying information, whereas on SubgraphOS, this number is significantly lower (around 7 bits, if memory serves well).
Even with JavaScript disabled, it only reduces the amount of identifying information to 11 bits.


Andrew David Wong

Jun 8, 2016, 4:50:42 PM
to jasper...@gmail.com, qubes-devel
Sounds like this issue:

https://github.com/QubesOS/qubes-issues/issues/1856

But also note the Tor Project's stance on fingerprinting linkability:

https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

jasper...@gmail.com

Jun 9, 2016, 5:48:18 AM
to qubes-devel, jasper...@gmail.com

> Sounds like this issue:
> https://github.com/QubesOS/qubes-issues/issues/1856

Yes, this seems to be the problem. I'm not sure why, but the user-agent stands out quite a bit as well. AFAIK it should be the same as the one from TBB on, say, Subgraph or Windows. I'll check if that's the case.

entr0py

Jun 9, 2016, 9:49:55 AM
to Andrew David Wong, jasper...@gmail.com, qubes-devel
Andrew David Wong:
> On 2016-06-08 13:05, jasper...@gmail.com wrote:
>> I've run a test on https://panopticlick.eff.org/ to see how
>> 'anonymous' the Tor browser is on Whonix workstation. It seems to

Whonix doesn't make any changes to Tor Browser so it will be just as anonymous as it would on any other platform. I have not tried to reproduce the issue mentioned by Andrew below so I'm not sure what Qubes does differently. Any resolution that is a multiple of 200x100 (max width 1000) is a VALID Default Tor Browser resolution (depends on screen size).

(relevant code: https://gitweb.torproject.org/mikeperry/torbutton.git/tree/src/chrome/content/torbutton.js?h=1.5-next#n2201)

Depending on your definition of "anonymous", panopticlick may not be the best place to measure. How many non-paranoid, non-techie users visit panopticlick.eff.org? Hardly representative of the general population.

More importantly, Tor Browser will only make you "anonymous" relative to other Tor Browser users, not relative to the general population as a whole. A browser width of 1000 is likely *unique* to Tor Browser since many websites these days will use 1200+ pixels to draw optimally, and any "normal" user would expand the width of their browser.

>> have a 'nearly-unique' fingerprint. The problem seems to be the
>> browsers window size/resolution (1000x600x24).
>

Here are the results on panopticlick of various browser resolutions vs infobits:

1920x1080x24 2.36

1000x2000x24 17.16=unique
1000x1400x24 17.16
1000x1300x24 17.16
1000x1200x24 17.16
1000x1100x24 17.16
1000x1000x24 9.8
1000x900x24 7.59
1000x800x24 9.05
1000x700x24 8.03
1000x600x24 7.16
1000x500x24 10.44
1000x400x24 12.1
1000x300x24 17.16

Your resolution of 1000x600 is as good as it gets (for Tor Browser) :)
You can also see that if you want to appear to be a "normal" user (running at 1920x1080), you shouldn't use Tor Browser.

Some strange facts about Tor Browser browsers that have been tested on Panopticlick with JS Enabled (probably not many of the total browsers to begin with):

* Not a single Tor Browser out of 145,000+ total browsers was on a fairly common 27" 2560x1440 monitor...
* Even the ubiquitous 1920x1080 monitor lost to smaller screens (for Tor Browser).
* Out of 145,000+ total browsers, there were 31 Tor Browsers running at 1000x400! Probably VMs occupying fractional screen space (and not old-timers clinging to their 640x480 monitors). Or One Guy playing with his fingerprints.

>> In total, the browser leaks about 14 bits of identifying
>> information. whereas on SubgraphOS, this number is significantly
>> lower (around 7 bits, if memory serves well) Even with JavaScript
>> disabled, it only reduces the amount of identifying information to
>> 11 bits.
>

It would be really helpful to see the detailed comparison with Subgraph. What other variables differed besides screen size?

>
> Sounds like this issue:
>
> https://github.com/QubesOS/qubes-issues/issues/1856
>
> But also note the Tor Project's stance on fingerprinting linkability:
>
> https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability
>
>



entr0py

Jun 9, 2016, 9:49:56 AM
to Andrew David Wong, jasper...@gmail.com, qubes-devel
Just wanted to add that it's very easy to play with your Tor Browser screen size by using KDE's Window Rules.

Need to add 8 pixels of width to accommodate Qubes' borders.
And 100 pixels of height for Window Title, Tabs, etc.
Panopticlick measures the Interior Browser window.

This can also be a temporary workaround for Issue 1856.

Jasper Weiss

Jun 9, 2016, 1:52:15 PM
to qubes-devel, a...@qubes-os.org, jasper...@gmail.com, 3n7...@vfemail.net


On Thursday, June 9, 2016 at 3:49:55 PM UTC+2, entr0py wrote:
> More importantly, Tor Browser will only make you "anonymous" relative to other Tor Browser users, not relative to the general population as a whole. A browser width of 1000 is likely *unique* to Tor Browser since many websites these days will use 1200+ pixels to draw optimally, and any "normal" user would expand the width of their browser.

I know, but since there are so many Tor users that's a large group to hide in. My laptop for example has a more obscure screen resolution of 1366x768. So it makes sense to use a default that may be unique to the Tor browser, but is the same among all Tor browsers.

 
> * Even the ubiquitous 1920x1080 monitor lost to smaller screens (for Tor Browser).

That seems to make sense since the TBB insists that the user use the default screen size.

>> In total, the browser leaks about 14 bits of identifying
>> information. whereas on SubgraphOS, this number is significantly
>> lower (around 7 bits, if memory serves well) Even with JavaScript
>> disabled, it only reduces the amount of identifying information to
>>  11 bits.

> It would be really helpful to see the detailed comparison with Subgraph. What other variables differed besides screen size?

I'll make some screenshots of the results from Whonix compared to Subgraph. (I can't get the Tor browser to start on Subgraph atm)
It'd be interesting to see what makes Subgraph different from Whonix since they both use the exact same version of the Tor browser.

Of course it would be so much easier if one could just have an 'insider look' at the NSA so we know exactly what they're using to track Tor users :) Passive timing correlation seems somewhat far-fetched to me since nodes are scattered across the globe. Hacking into the endpoint seems most plausible but that doesn't work so well on Whonix..

entr0py

Jun 9, 2016, 3:16:27 PM
to Jasper Weiss, qubes-devel, a...@qubes-os.org
Jasper Weiss:
>
>
> On Thursday, June 9, 2016 at 3:49:55 PM UTC+2, entr0py wrote:
>>
>> More importantly, Tor Browser will only make you "anonymous" relative to
>> other Tor Browser users, not relative to the general population as a whole.
>> A browser width of 1000 is likely *unique* to Tor Browser since many
>> websites these days will use 1200+ pixels to draw optimally, and any
>> "normal" user would expand the width of their browser.
>>
>
> I know, but since there are so many Tor users that's a large group to hide
> in. My laptop for example has a more obscure screen resolution of 1366x768.
> So it makes sense to use a default that may be unique to the Tor browser,
> but *is* the same among all Tor browsers.
>

The point of my previous post was that Tor Browser resolution is *not* the same among all Tor Browsers. The reason your Tor Browser defaults to 1000x600 at startup is precisely because your screen resolution is 1366x768 (my first guess was 1280x720 but that might drop you to 1000x500). 1000 is the max width and 600 is the max vertical your screen resolution supports (when you take into account taskbars, menu bars, tab bars, etc.) One guy turned his 1920x1200 monitor sideways, which basically meant he was using a unique browser. Even more dangerous is the fact that you can resize your Tor Browser to any unique value that you want (fix in progress: https://trac.torproject.org/projects/tor/ticket/14429).

As long as https://github.com/QubesOS/qubes-issues/issues/1856 still produces multiples of 200x100 screens, then it's more of an annoyance rather than a catastrophic bug. Instead of being lumped together with the Tor Browser users you were expecting, you'll be grouped with other Tor Browser users instead. (Still useful to know why it happens though.)

>
> Of course it would be so much easier if one could just have an 'insider
> look' at the NSA so we know exactly what they're using to track Tor users
> :) Passive timing correlation seems somewhat far-fetched to me since nodes
> are scattered across the globe. Hacking into the endpoint seems most
> plausible but that doesn't work so well on Whonix..
>

Not that far-fetched - it's the motivation behind persistent entry guards. Nodes may be scattered across the globe but your packets are being streamed through one circuit at a time - each packet doesn't route randomly all over the world. The packets in each of your streams can be correlated. Also, no one needs to hack into your machine. While you may have your machine locked down and airtight, do you share the same confidence about your ISP? Your ISP is one of your endpoints too :) (They might even be a cooperative endpoint.)
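
The sizing rule described in this post, combined with the resolution table from the earlier post, as a sketch (an added example, not part of the thread and not Tor Browser's or torbutton's code). The 8 and 100 pixel chrome allowances are the figures from the KDE Window Rules post used as assumed defaults, and reading the "unique" 17.16-bit row as one browser in the whole sample is an assumption about how Panopticlick scores.

```javascript
// Added illustration; not Tor Browser's or torbutton's code.
// Rule as stated in the thread: inner window is a multiple of 200x100, width capped at 1000.
const STEP_W = 200, STEP_H = 100, MAX_W = 1000;

// Copied from the table posted earlier in the thread: "WxH" -> bits of identifying info.
const PANOPTICLICK_BITS = {
  "1000x300": 17.16, "1000x400": 12.1, "1000x500": 10.44, "1000x600": 7.16,
  "1000x700": 8.03, "1000x800": 9.05, "1000x900": 7.59, "1000x1000": 9.8,
  "1000x1100": 17.16, "1920x1080": 2.36,
};
const UNIQUE_BITS = 17.16; // the thread labels this value "unique"

// chromeW/chromeH: pixels lost to borders, title bar, tabs, taskbar (assumed values).
function defaultInnerSize(screenW, screenH, chromeW = 8, chromeH = 100) {
  const w = Math.min(MAX_W, Math.floor((screenW - chromeW) / STEP_W) * STEP_W);
  const h = Math.floor((screenH - chromeH) / STEP_H) * STEP_H;
  return { w, h };
}

// True if an observed inner size is one the rounding rule could have produced.
function isValidBucket(w, h) {
  return w > 0 && h > 0 && w <= MAX_W && w % STEP_W === 0 && h % STEP_H === 0;
}

// Bits are surprisal: bits = log2(N / k) for k matching browsers in a sample of N.
// A unique browser has k = 1, so N = 2^UNIQUE_BITS (assumption, see lead-in).
function crowdSize(bits) {
  const sample = Math.pow(2, UNIQUE_BITS);
  return Math.round(sample / Math.pow(2, bits));
}

// Predict the startup bucket for a screen and look up how large its crowd was.
function assess(screenW, screenH, chromeH = 100) {
  const { w, h } = defaultInnerSize(screenW, screenH, 8, chromeH);
  const key = `${w}x${h}`;
  const bits = PANOPTICLICK_BITS[key];
  return { key, valid: isValidBucket(w, h), bits,
           crowd: bits === undefined ? null : crowdSize(bits) };
}

console.log(assess(1366, 768));        // the laptop discussed in the thread
console.log(assess(1280, 720, 130));   // taller chrome drops a 100-pixel row
console.log(isValidBucket(1013, 617)); // a manually resized window
```

Under these assumptions the 1000x600 bucket corresponds to roughly 1,024 browsers in the sample, and the 12.1-bit row for 1000x400 works out to about 33, close to the 31 reported earlier in the thread.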

Jasper Weiss

Jun 9, 2016, 3:53:10 PM
to qubes-devel, jasper...@gmail.com, a...@qubes-os.org, 3n7...@vfemail.net


On Thursday, June 9, 2016 at 9:16:27 PM UTC+2, entr0py wrote:
> The point of my previous post was that Tor Browser resolution is *not* the same among all Tor Browsers. The reason your Tor Browser defaults to 1000x600 at startup is precisely because your screen resolution is 1366x768 (my first guess was 1280x720 but that might drop you to 1000x500). 1000 is the max width and 600 is the max vertical your screen resolution supports (when you take into account taskbars, menu bars, tab bars, etc.) One guy turned his 1920x1200 monitor sideways, which basically meant he was using a unique browser. Even more dangerous is the fact that you can resize your Tor Browser to any unique value that you want (fix in progress: https://trac.torproject.org/projects/tor/ticket/14429).
>
> As long as https://github.com/QubesOS/qubes-issues/issues/1856 still produces multiples of 200x100 screens, then it's more of an annoyance rather than a catastrophic bug. Instead of being lumped together with the Tor Browser users you were expecting, you'll be grouped with other Tor Browser users instead. (Still useful to know why it happens though.)

Oh I see, so it's not always 1000x600. In that case, it makes little sense to me. What exactly is the point of converting 1920x1080 to 1800x1000 and 1366x768 to 1000x600 etc.? I suppose it deals with the fact that different platforms have different taskbar sizes so it's not actually 1920x1080 - 10 or so pixels?
 

> Of course it would be so much easier if one could just have an 'insider
> look' at the NSA so we know exactly what they're using to track Tor users
> :) Passive timing correlation seems somewhat far-fetched to me since nodes
> are scattered across the globe. Hacking into the endpoint seems most
> plausible but that doesn't work so well on Whonix..
 
> Not that far-fetched - it's the motivation behind persistent entry guards. Nodes may be scattered across the globe but your packets are being streamed through one circuit at a time - each packet doesn't route randomly all over the world. The packets in each of your streams can be correlated. Also, no one needs to hack into your machine. While you may have your machine locked down and airtight, do you share the same confidence about your ISP? Your ISP is one of your endpoints too :) (They might even be a cooperative endpoint.)

Hmm yes, I suppose you're right. I'm using a VPN (from bitmask.net) in addition to Tor. Not sure to what extent that helps against traffic correlation but it doesn't hurt to have as an additional layer.

Patrick Schleizer

Jun 9, 2016, 4:44:50 PM
to qubes...@googlegroups.com
See also The Tor Project's blog post on Panopticlick.

EFF's Panopticlick and Torbutton

https://blog.torproject.org/blog/effs-panopticlick-and-torbutton
